Release notes: SecureAuth CIAM 2.24.0
Summary of new features and changes in SecureAuth CIAM platform (formerly known as Cloudentity) version 2.24.0.
Release Date: March 31, 2025
Major additions and changes
- [ AUT-11791 ]
Added a new `None (PKCE)` authentication method for the generic OIDC IdP. Introduced a `Use PKCE` flag for use with the `Client Secret` or `Private Key JWT` authentication methods.
- [ AUT-11830 ]
Introduced a new feature flag: `enforce_system_admin_workspace_access`. When enabled, it restricts access to system/admin workspace entities via the admin APIs unless `admin_workspace_access` or `system_workspace_access` is also enabled. APIs excluded from this enforcement:
  - Get workspace
  - Create, get, update, delete, and list IdPs
Additionally, the `list workspaces` and `list servers` APIs now exclude system/admin workspaces when enforcement is enabled and the access flags are not.
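The `None (PKCE)` method in AUT-11791 above means the IdP connection proves possession of the authorization code with a PKCE verifier alone, while `Use PKCE` adds the same check on top of a client secret or private-key JWT. As an added illustration, not SecureAuth code and not taken from the release notes, the following Python shows the S256 exchange end to end: the client derives the challenge, the server recomputes it at the token endpoint, and an intercepted code is useless without the verifier. The function names and the in-memory record of the issued code are this example's own assumptions.

```python
import base64
import hashlib
import secrets


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding RFC 7636 prescribes."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes: int = 32) -> str:
    """Client side: high-entropy code_verifier (32 random bytes -> 43 characters)."""
    return b64url(secrets.token_bytes(nbytes))


def code_challenge_s256(code_verifier: str) -> str:
    """Client side: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())


def verify_pkce(code_verifier: str, stored_challenge: str, method: str) -> bool:
    """Authorization-server side, at the token endpoint: recompute the challenge
    from the presented verifier and compare it with the one bound to the code."""
    if not 43 <= len(code_verifier) <= 128:   # length bounds from RFC 7636 section 4.1
        return False
    if method == "S256":
        expected = code_challenge_s256(code_verifier)
    elif method == "plain":
        # Permitted by RFC 7636 but gives no protection if the challenge leaks; avoid.
        expected = code_verifier
    else:
        return False
    return secrets.compare_digest(expected, stored_challenge)


def simulate_code_interception() -> tuple:
    """Walk through one authorization-code exchange: the legitimate client presents its
    verifier; an attacker who captured the code (for example from a leaked redirect)
    cannot. Returns (legitimate_client_ok, attacker_ok)."""
    verifier = make_code_verifier()
    challenge = code_challenge_s256(verifier)
    # The authorization request carries code_challenge and code_challenge_method; the
    # server stores them with the issued code. This record is constructed for the example.
    issued = {"code": secrets.token_urlsafe(16), "challenge": challenge, "method": "S256"}
    legit_ok = verify_pkce(verifier, issued["challenge"], issued["method"])
    # The attacker has the code but not the verifier, so a fresh guess is all they can send.
    attacker_ok = verify_pkce(make_code_verifier(), issued["challenge"], issued["method"])
    return legit_ok, attacker_ok


if __name__ == "__main__":
    print(simulate_code_interception())  # (True, False)
```

With `None (PKCE)` the verifier is the only proof the token endpoint receives, so a public client must never reuse a verifier and should always send `code_challenge_method=S256`; with `Use PKCE` on `Client Secret` or `Private Key JWT` the server checks both the client credential and the verifier, which protects against code interception even when the credential is intact.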
Minor enhancements
- [ AUT-11518 ]
When the `acr` feature flag is enabled, new workspaces include sample ACRs with policies that replace the legacy NIST policies. These are disabled by default so that they do not appear in the well-known configuration, but they can be enabled for testing. The policies use a new validator that enforces any one or any two authentication factors.
- [ AUT-11608 ]
Added support for `max_age=0` in the authorize flow to force user authentication, similar to `prompt=login`.
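The `max_age=0` behaviour described above is easiest to see next to the ordinary `max_age` and `prompt=login` cases. The following Python is an added example, not SecureAuth's implementation, showing both halves of the contract: the authorization-server decision on whether an existing SSO session may satisfy the request, and the relying-party check of `auth_time` in the returned ID token (OIDC Core section 3.1.3.7), without which a client cannot tell whether its forced re-login actually happened. The authorize URL, the 60-second clock-skew leeway and the function names are assumptions made for this example.

```python
from typing import Optional
from urllib.parse import parse_qs, urlparse


def must_reauthenticate(authorize_url: str, session_auth_time: Optional[int], now: int) -> bool:
    """Authorization-server side: may an existing SSO session satisfy this request?
    session_auth_time is the Unix time the session's user last authenticated
    (None = no session). Raises ValueError on a malformed max_age, which an AS
    should answer with an invalid_request error."""
    params = parse_qs(urlparse(authorize_url).query, keep_blank_values=True)
    prompt = set(params.get("prompt", [""])[0].split())
    if "login" in prompt:
        return True                      # prompt=login: always re-prompt
    if session_auth_time is None:
        return True                      # no session at all
    if "max_age" not in params:
        return False                     # plain SSO: reuse the session
    raw = params["max_age"][0]
    if not raw.isdigit():                # rejects '', '-1', '1.5', 'abc'
        raise ValueError("invalid_request: max_age must be a non-negative integer")
    max_age = int(raw)
    if max_age == 0:
        return True                      # max_age=0: treated like prompt=login
    return now - session_auth_time > max_age


def id_token_auth_time_ok(claims: dict, requested_max_age: Optional[int], now: int,
                          leeway: int = 60) -> bool:
    """Relying-party side: when the RP asked for max_age, the ID token must carry
    auth_time and it must be recent enough. leeway absorbs clock skew between the AS
    and the RP (assumed value; tune it for your deployment)."""
    if requested_max_age is None:
        return True                      # auth_time was not requested; nothing to check
    auth_time = claims.get("auth_time")
    if not isinstance(auth_time, int):
        return False                     # claim missing: the forced login cannot be verified
    return now - auth_time <= requested_max_age + leeway


if __name__ == "__main__":
    # Constructed sample request: a session authenticated 5 seconds ago is not good enough.
    url = "https://auth.example.com/oauth2/authorize?client_id=app&response_type=code&max_age=0"
    print(must_reauthenticate(url, session_auth_time=1_700_000_000 - 5, now=1_700_000_000))  # True
```

A client that relies on `max_age=0` to gate a sensitive action should treat a missing `auth_time` claim as a failed check, not as a pass: the server may have silently reused a session if the parameter was dropped somewhere on the way.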
- [ AUT-11727 ]
Improved DCR behavior: if the policy fails, the offending DCR scopes or authorization details are excluded instead of the entire request being rejected.
- [ AUT-11734 ]
Added client timeout support to the root CLI.
- [ AUT-11767 ]
Extended root APIs to support license management for tenants.
- [ AUT-11768 ]
Added tenant metadata to the authorization engine input.
- [ AUT-11815 ]
Added system APIs for managing client secrets.
- [ AUT-11818 ]
Exposed the Verify Authentication Code (System) API and enhanced Inspect OTP to return the code type.
- [ AUT-11828 ]
Introduced granular system scopes:
  - `manage_system_workspace`
  - `manage_admin_workspace`
  - `manage_regular_workspaces`
These can replace `manage_configuration` in the hub workspace management APIs.
- [ AUT-11833 ]
Updated the client import/create API to support multiple base64-encoded certificates in the `certificate` field, separated by new lines. The single-certificate format is deprecated.
- [ AUT-11839 ]
Added support for initializing the admin/system workspaces via the import configuration API.
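For the multi-certificate `certificate` field introduced in AUT-11833, the following Python is an added example, not SecureAuth code, of the validation a caller can run before submitting an import: split on new lines, strict base64 decoding, a structural DER check that catches pasted PEM text or truncated blobs, and duplicate detection. The sample values `MAMCAQE=` and `MAMCAQI=` are constructed minimal DER SEQUENCEs standing in for real certificates; the function names are this example's own.

```python
import base64
import binascii
import hashlib
from typing import List, Tuple


def _is_der_sequence(der: bytes) -> bool:
    """Cheap structural check: the outermost TLV is a SEQUENCE (tag 0x30) whose
    definite length covers exactly the whole blob. Every X.509 certificate starts
    that way; PEM text, PEM private keys, or truncated uploads do not pass."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                       # short-form length
        length, header = first, 2
    elif 0x81 <= first <= 0x84:            # long form with 1..4 length bytes
        n = first & 0x7F
        if len(der) < 2 + n:
            return False
        length, header = int.from_bytes(der[2:2 + n], "big"), 2 + n
    else:
        return False                       # 0x80 (indefinite length) is not DER
    return header + length == len(der)


def parse_certificate_field(field: str) -> Tuple[List[bytes], List[str]]:
    """Validate the multi-certificate form of the field: one base64 DER certificate
    per line. Returns (der_blobs, problems); refuse the import if problems is non-empty."""
    certs: List[bytes] = []
    problems: List[str] = []
    seen = set()
    for lineno, raw in enumerate(field.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue                                   # blank lines and a trailing newline are harmless
        if line.startswith("-----"):
            problems.append(f"line {lineno}: PEM armour found; supply the raw base64 body only")
            continue
        try:
            der = base64.b64decode(line, validate=True)  # strict: no stray characters
        except binascii.Error:
            problems.append(f"line {lineno}: not valid base64")
            continue
        if not _is_der_sequence(der):
            problems.append(f"line {lineno}: decoded bytes are not a DER SEQUENCE")
            continue
        fp = hashlib.sha256(der).hexdigest()
        if fp in seen:
            problems.append(f"line {lineno}: duplicate certificate (sha256 {fp[:16]}...)")
            continue
        seen.add(fp)
        certs.append(der)
    if not certs:
        problems.append("no certificate found in field")
    return certs, problems


def certificate_fingerprints(field: str) -> List[str]:
    """SHA-256 fingerprints of the accepted certificates, in field order."""
    certs, _ = parse_certificate_field(field)
    return [hashlib.sha256(c).hexdigest() for c in certs]


if __name__ == "__main__":
    # Constructed sample: two minimal DER SEQUENCEs (30 03 02 01 01 / 30 03 02 01 02),
    # not real certificates, one per line as the new field format expects.
    sample = "MAMCAQE=\nMAMCAQI=\n"
    print(parse_certificate_field(sample))
```

Pasting a whole PEM certificate into the field is the likeliest mistake: the armour lines are reported as such, and each 64-character body line decodes to a fragment whose DER length does not match, so it fails the structural check instead of being accepted as a separate certificate.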
- [ AUT-11932 ]
Extended Just-In-Time (JIT) provisioning with a new `pre` mode. In this mode the user must already exist in the identity pool and is not auto-provisioned. Supported fallback settings:
  - `"deny"` (default): displays an access denied page and emits a `jit_denied` audit event.
  - `"allow"`: authenticates the user via the IdP.
JIT audit logs now include provisioning mode and pre-provisioning settings.
- [ AUT-11934 ]
Under the `acr` feature flag:
  - Default ACR values (`"0"`, `"1"`) are no longer issued.
  - Only custom ACRs are stored in the SSO session.
- [ AUT-11956 ]
Added more client details to template rendering, enabling better customization in themes.
- [ AUT-11961 ]
Extended the `Enforce ACRs` flag to validate `acr_values` in the authorize flow. If none are specified (explicitly or via the client defaults), the flow fails with an invalid request error. This applies only when the `acr` feature flag is enabled. Also removed ACR enforcement for OpenBanking UK and KSA because of deprecated usage.
- [ AUT-11983 ]
Added test coverage (happy paths) for all endpoints introduced in the groups epic.
- [ AUT-11991 ]
Added configuration to disable user self-reset credential flows during authentication. Managed in Identity Pool settings.
- [ AUT-11998 ]
When the `acr` feature flag is enabled and an ACR is set via the Custom Login Page or the IdP Post Authentication Script, the configured ACR policy is evaluated.
- [ AUT-12034 ]
Enabled predefined ACRs in the CDR, OpenBanking UK, OpenBanking BR, and KSA workspaces when the `acr` feature flag is enabled. These use policies to validate ACRs from the Custom Login Page or the Post Authentication Script. Marked `acr_values` in the server advanced settings as deprecated.
Bug fixes
- [ AUT-11784 ]
Added a mobile/desktop toggle to the theme preview to visualize templates across devices.
- [ AUT-11863 ]
Fixed the incorrect `grant_type` in refresh_token flows. It now correctly shows `refresh_token` instead of the original grant type.
- [ AUT-11981 ]
Added a circuit breaker to the SMTP client for improved reliability.